RA: Don't reuse authzs with mismatched profiles (#7967)

In the RA, inspect the profile of all authorizations returned when looking for authz reuse, and refuse to reuse any whose profile doesn't match the requested profile of the current NewOrder request. Fixes #7949
letsencrypt · Feb 3, 2025 · 6695895 · 6695895
1 parent 1d26015
commit 6695895
Show file tree

Hide file tree

Showing 6 changed files with 774 additions and 688 deletions.
diff --git a/ra/ra.go b/ra/ra.go
@@ -2256,13 +2256,15 @@ func (ra *RegistrationAuthorityImpl) NewOrder(ctx context.Context, req *rapb.New
 			RegistrationID: newOrder.RegistrationID,
 			ValidUntil:     timestamppb.New(authzExpiryCutoff),
 			DnsNames:       newOrder.DnsNames,
+			Profile:        req.CertificateProfileName,
 		}
 		existingAuthz, err = ra.SA.GetValidAuthorizations2(ctx, getAuthReq)
 	} else {
 		getAuthReq := &sapb.GetAuthorizationsRequest{
 			RegistrationID: newOrder.RegistrationID,
 			ValidUntil:     timestamppb.New(authzExpiryCutoff),
 			DnsNames:       newOrder.DnsNames,
+			Profile:        req.CertificateProfileName,
 		}
 		existingAuthz, err = ra.SA.GetAuthorizations2(ctx, getAuthReq)
 	}
@@ -2288,6 +2290,11 @@ func (ra *RegistrationAuthorityImpl) NewOrder(ctx context.Context, req *rapb.New
 			missingAuthzIdents = append(missingAuthzIdents, ident)
 			continue
 		}
+		// If the authz is associated with the wrong profile, don't reuse it.
+		if authz.CertificateProfileName != req.CertificateProfileName {
+			missingAuthzIdents = append(missingAuthzIdents, ident)
+			continue
+		}
 		authzAge := (ra.authorizationLifetime - authz.Expires.Sub(ra.clk.Now())).Seconds()
 		// If the identifier is a wildcard and the existing authz only has one
 		// DNS-01 type challenge we can reuse it. In theory we will

diff --git a/ra/ra_test.go b/ra/ra_test.go
@@ -1379,10 +1379,10 @@ func TestNewOrder(t *testing.T) {
 	test.AssertEquals(t, err.Error(), "Cannot issue for \"a\": Domain name needs at least one dot")
 }
 
-// TestNewOrderReuse tests that subsequent requests by an ACME account to create
+// TestNewOrder_OrderReuse tests that subsequent requests by an ACME account to create
 // an identical order results in only one order being created & subsequently
 // reused.
-func TestNewOrder_OrderReusex(t *testing.T) {
+func TestNewOrder_OrderReuse(t *testing.T) {
 	_, _, ra, _, _, cleanUp := initAuthorities(t)
 	defer cleanUp()
 
@@ -1590,6 +1590,7 @@ func TestNewOrder_AuthzReuse(t *testing.T) {
 		Name           string
 		RegistrationID int64
 		DnsName        string
+		Profile        string
 		ExpectReuse    bool
 	}{
 		{
@@ -1610,6 +1611,13 @@ func TestNewOrder_AuthzReuse(t *testing.T) {
 			DnsName:        invalid,
 			ExpectReuse:    false,
 		},
+		{
+			Name:           "Don't reuse valid authz with wrong profile",
+			RegistrationID: Registration.Id,
+			DnsName:        valid,
+			Profile:        "test",
+			ExpectReuse:    false,
+		},
 		{
 			Name:           "Don't reuse valid authz from other acct",
 			RegistrationID: secondReg.Id,
@@ -1621,8 +1629,9 @@ func TestNewOrder_AuthzReuse(t *testing.T) {
 	for _, tc := range testCases {
 		t.Run(tc.Name, func(t *testing.T) {
 			new, err := ra.NewOrder(context.Background(), &rapb.NewOrderRequest{
-				RegistrationID: tc.RegistrationID,
-				DnsNames:       []string{tc.DnsName},
+				RegistrationID:         tc.RegistrationID,
+				DnsNames:               []string{tc.DnsName},
+				CertificateProfileName: tc.Profile,
 			})
 			test.AssertNotError(t, err, "creating test order")
 			test.AssertNotEquals(t, new.Id, extant.Id)