Check MaxNames at WFE

letsencrypt · Jan 11, 2024 · 3609d28 · 3609d28
1 parent 49c2930
commit 3609d28
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 3 deletions.
diff --git a/cmd/boulder-wfe2/main.go b/cmd/boulder-wfe2/main.go
@@ -158,6 +158,13 @@ type Config struct {
 			// default rate limits.
 			Overrides string
 		}
+
+		// MaxNames is the maximum number of subjectAltNames in a single cert.
+		// The value supplied MUST be greater than 0 and no more than 100,
+		// defaults to 100. These limits are per section 7.1 of our combined
+		// CP/CPS, under "DV-SSL Subscriber Certificate". The value must match
+		// the CA and RA configurations.
+		MaxNames int `validate:"required,min=1,max=100"`
 	}
 
 	Syslog        cmd.SyslogConfig
@@ -299,6 +306,11 @@ func main() {
 	if *debugAddr != "" {
 		c.WFE.DebugAddr = *debugAddr
 	}
+	maxNames := c.WFE.MaxNames
+	if maxNames == 0 {
+		// Default to 100 names per cert.
+		maxNames = 100
+	}
 
 	certChains := map[issuance.IssuerNameID][][]byte{}
 	issuerCerts := map[issuance.IssuerNameID]*issuance.Certificate{}
@@ -396,6 +408,7 @@ func main() {
 		accountGetter,
 		limiter,
 		txnBuilder,
+		maxNames,
 	)
 	cmd.FailOnError(err, "Unable to create WFE")
 

diff --git a/ratelimits/bucket.go b/ratelimits/bucket.go
@@ -282,7 +282,11 @@ func (builder *TransactionBuilder) FailedAuthorizationsPerAccountTransaction(reg
 //
 // When a CertificatesPerDomainPerAccount override is not configured, a check-
 // and-spend Transaction is returned for each per domain bucket.
-func (builder *TransactionBuilder) CertificatesPerDomainTransactions(regId int64, orderDomains []string) ([]Transaction, error) {
+func (builder *TransactionBuilder) CertificatesPerDomainTransactions(regId int64, orderDomains []string, maxNames int) ([]Transaction, error) {
+	if len(orderDomains) > maxNames {
+		return nil, fmt.Errorf("order contains more than %d DNS names", maxNames)
+	}
+
 	perAccountLimitBucketKey, err := newRegIdBucketKey(CertificatesPerDomainPerAccount, regId)
 	if err != nil {
 		return nil, err

diff --git a/wfe2/wfe.go b/wfe2/wfe.go
@@ -170,6 +170,7 @@ type WebFrontEndImpl struct {
 	pendingAuthorizationLifetime time.Duration
 	limiter                      *ratelimits.Limiter
 	txnBuilder                   *ratelimits.TransactionBuilder
+	maxNames                     int
 }
 
 // NewWebFrontEndImpl constructs a web service for Boulder
@@ -193,6 +194,7 @@ func NewWebFrontEndImpl(
 	accountGetter AccountGetter,
 	limiter *ratelimits.Limiter,
 	txnBuilder *ratelimits.TransactionBuilder,
+	maxNames int,
 ) (WebFrontEndImpl, error) {
 	if len(issuerCertificates) == 0 {
 		return WebFrontEndImpl{}, errors.New("must provide at least one issuer certificate")
@@ -231,6 +233,7 @@ func NewWebFrontEndImpl(
 		accountGetter:                accountGetter,
 		limiter:                      limiter,
 		txnBuilder:                   txnBuilder,
+		maxNames:                     maxNames,
 	}
 
 	return wfe, nil
@@ -2090,7 +2093,7 @@ func (wfe *WebFrontEndImpl) checkNewOrderLimits(ctx context.Context, regId int64
 	}
 	transactions = append(transactions, txn)
 
-	txns, err := wfe.txnBuilder.CertificatesPerDomainTransactions(regId, names)
+	txns, err := wfe.txnBuilder.CertificatesPerDomainTransactions(regId, names, wfe.maxNames)
 	if err != nil {
 		logTxnErr(err, ratelimits.CertificatesPerDomain)
 		return nil

diff --git a/wfe2/wfe_test.go b/wfe2/wfe_test.go
@@ -425,7 +425,9 @@ func setupWFE(t *testing.T) (WebFrontEndImpl, clock.FakeClock, requestSigner) {
 		rncKey,
 		mockSA,
 		limiter,
-		txnBuilder)
+		txnBuilder,
+		100,
+	)
 	test.AssertNotError(t, err, "Unable to create WFE")
 
 	wfe.SubscriberAgreementURL = agreementURL