CAA: Handle issuemail (RFC 9495)

This commit is contained in:
nemunaire 2024-02-03 09:10:10 +01:00
parent 205d890f32
commit 82067201f4
4 changed files with 107 additions and 7 deletions


@ -81,6 +81,8 @@ type CAA struct {
Issue []CAAIssueValue
DisallowWildcardIssue bool
IssueWild []CAAIssueValue
DisallowMailIssue bool
IssueMail []CAAIssueValue
Iodef []*common.URL
}
@ -98,19 +100,25 @@ func (s *CAA) GetNbResources() int {
}
}
if s.DisallowMailIssue {
nb += 1
} else {
nb += len(s.IssueMail)
}
return nb + len(s.Iodef)
}
func (s *CAA) GenComment(origin string) string {
func (s *CAA) GenComment(origin string) (ret string) {
if s.DisallowIssue {
return "Certificate issuance disallowed"
ret = "Certificate issuance disallowed"
} else {
var issuance []string
for _, iss := range s.Issue {
issuance = append(issuance, iss.IssuerDomainName)
}
ret := strings.Join(issuance, ", ")
ret = strings.Join(issuance, ", ")
if s.DisallowWildcardIssue {
if ret != "" {
@ -129,9 +137,27 @@ func (s *CAA) GenComment(origin string) string {
ret += strings.Join(issuancew, ", ")
}
return ret
}
if s.DisallowMailIssue {
if ret != "" {
ret += "; "
}
ret += "S/MIME issuance disallowed"
} else if len(s.IssueMail) > 0 {
if ret != "" {
ret += "; S/MIME: "
}
var issuancem []string
for _, iss := range s.IssueMail {
issuancem = append(issuancem, iss.IssuerDomainName)
}
ret += strings.Join(issuancem, ", ")
}
return
}
func (s *CAA) GenRRs(domain string, ttl uint32, origin string) (rrs models.Records) {
@ -171,6 +197,24 @@ func (s *CAA) GenRRs(domain string, ttl uint32, origin string) (rrs models.Recor
}
}
if s.DisallowMailIssue {
rc := utils.NewRecordConfig(domain, "CAA", ttl, origin)
rc.CaaFlag = 0
rc.CaaTag = "issuemail"
rc.SetTarget(";")
rrs = append(rrs, rc)
} else {
for _, issue := range s.IssueMail {
rc := utils.NewRecordConfig(domain, "CAA", ttl, origin)
rc.CaaFlag = 0
rc.CaaTag = "issuemail"
rc.SetTarget(issue.String())
rrs = append(rrs, rc)
}
}
if len(s.Iodef) > 0 {
for _, iodef := range s.Iodef {
rc := utils.NewRecordConfig(domain, "CAA", ttl, origin)
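Review bot: In the GenComment hunk (`@ -129,9 +137,27 @@`), the `else if len(s.IssueMail) > 0` branch prepends the `S/MIME: ` label only when `ret` is already non-empty, so a record set that restricts S/MIME issuers but lists no ordinary issuers yields a comment that reads like a plain issuer list. The label should not depend on what precedes it: `if ret != "" { ret += "; " }` followed by `ret += "S/MIME: " + strings.Join(issuancem, ", ")`. GenComment begins in the previous hunk and is only partially visible here. The GenRRs branch at the end of the section mirrors the existing issue/issuewild handling, and emitting `issuemail` with target `;` for DisallowMailIssue is the RFC 9495 form for denying all S/MIME issuance; note that when DisallowMailIssue is set a non-empty IssueMail list is silently dropped rather than rejected, which is presumably hidden by the UI but not enforced at the API.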


@ -92,7 +92,7 @@
</Alert>
{/if}
<h4>{$t("resources.CAA.wild-issuers")}</h4>
<h4 class="mt-4">{$t("resources.CAA.wild-issuers")}</h4>
<FormGroup>
<Input id="wildcardissuedisabled" type="checkbox" label={$t("resources.CAA.no-wild-hint")} bind:checked={value.DisallowWildcardIssue} />
@ -142,7 +142,51 @@
</Alert>
{/if}
<h4>{$t("resources.CAA.incident-response")}</h4>
<h4 class="mt-4">{$t("resources.CAA.mail-issuers")}</h4>
<FormGroup>
<Input id="mailissuedisabled" type="checkbox" label={$t("resources.CAA.no-mail-hint")} bind:checked={value.DisallowMailIssue} />
</FormGroup>
{#if !value.DisallowMailIssue && !value.IssueMail}
<Alert color="warning" fade={false}>
<strong>{$t("resources.CAA.mail-all-allowed-title")}</strong> {$t("resources.CAA.mail-all-allowed-body")}
</Alert>
{/if}
<h5>
{$t("resources.CAA.auth-issuers")}
</h5>
{#if !value.DisallowMailIssue}
<ul>
{#if value.IssueMail}
{#each value.IssueMail as issue, k}
<li class="mb-3">
<CAAIssuer
{readonly}
bind:value={value.IssueMail[k]}
on:delete-issuer={() => {value.IssueMail.splice(k, 1); value = value;}}
/>
</li>
{/each}
{/if}
{#if !readonly}
<li style:list-style="'+ '">
<CAAIssuer
newone
on:add-issuer={(e) => {if (!value.IssueMail) value.IssueMail = []; value.IssueMail.push(e.detail); value = value;}}
/>
</li>
{/if}
</ul>
{:else}
<Alert color="danger" fade={false}>
<strong>{$t("resources.CAA.no-mail-title")}</strong> {$t("resources.CAA.no-mail-body")}
</Alert>
{/if}
<h4 class="mt-4">{$t("resources.CAA.incident-response")}</h4>
<p>
{$t("resources.CAA.incident-response-text")}
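Review bot: The `mail-all-allowed` warning at the top of the new S/MIME block is gated on `!value.DisallowMailIssue && !value.IssueMail`, but an empty array is truthy in JavaScript, so once a user adds an issuer and then deletes it (the `splice` handler leaves `value.IssueMail` as `[]`) the warning disappears even though the backend will generate no `issuemail` record and every CA remains authorized to issue S/MIME certificates for the domain. The condition should be `{#if !value.DisallowMailIssue && (!value.IssueMail || value.IssueMail.length === 0)}`. The `{#if value.IssueMail}` guard around the `{#each}` is harmless as written, since an empty each renders nothing. If the wildcard block above uses the same `!value.IssueWild` pattern it has the same gap, but that code is outside this hunk.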


@ -264,9 +264,15 @@
"auth-issuers": "Authorized Issuers",
"incident-response": "Incident Response",
"incident-response-text": "How would you want to be contacted in case of violation of the current security policy?",
"mail-issuers": "S/MIME certificates issuance",
"mail-all-allowed-title": "No CA constraint for S/MIME certificates issuance.",
"mail-all-allowed-body": "All CA can emit S/MIME certificates for your domain. You should disallow or restrict to certain CA. S/MIME certificates are used for example to sign and encrypt e-mail communications. If you do not use such certificate, you should disallow their issuance.",
"no-issuers-hint": "Disallow any certificate issuance",
"no-issuers-title": "No issuer authorized.",
"no-issuers-body": "With those parameters, no issuer is allowed to create certificate for this subdomain.",
"no-mail-hint": "Disallow S/MIME certificate issuance",
"no-mail-title": "No issuer authorized for S/MIME certificate.",
"no-mail-body": "With those parameters, no issuer is authorized to create S/MIME certificate for this domain and subdomain.",
"no-wild-hint": "Disallow wildcard certificate issuance",
"no-wild-title": "No wildcard issuer authorized.",
"no-wild-body": "With those parameters, no issuer is authorized to create wildcard certificate for this domain and subdomain. But this can be override with the following settings:",


@ -258,9 +258,15 @@
"auth-issuers": "Émetteurs autorisés",
"incident-response": "Réponse aux incidents",
"incident-response-text": "Comment souhaitez-vous être contacté en cas de violation de la politique de sécurité actuelle ?",
"mail-issuers": "Délivrance de certificats S/MIME",
"mail-all-allowed-title": "Toutes les autorités de certification peuvent émettre des certiticats S/MIME sans restriction.",
"mail-all-allowed-body": "Toutes les autorités de certification peuvent émettre des certiticats S/MIME pour votre domaine. Vous devriez interdire ou restreindre à certaines autorités. Les certificats S/MIME sont utilisés par exemple pour signer et chiffrer les courriers électroniques. Si vous n'utilisez pas ce genre de certiticats, vous devriez interdire leur émission.",
"no-issuers-hint": "Interdire toute délivrance de certificat",
"no-issuers-title": "Aucun émetteur autorisé.",
"no-issuers-body": "Avec ces paramètres, aucun émetteur n'est autorisé à créer un certificat pour ce sous-domaine.",
"no-mail-hint": "Interdire l'émission de certiticat S/MIME",
"no-mail-title": "Aucune émetteur de certiticat S/MIME n'est autorisé.",
"no-mail-body": "Avec ces paramètres, aucun émetteur n'est autorisé à créer un certificat S/MIME pour ce sous-domaine.",
"no-wild-hint": "Interdire l'émission de certificats \"wildcard\"",
"no-wild-title": "Aucun émetteur de certificats \"wildcard\" n'est autorisé.",
"no-wild-body": "Avec ces paramètres, aucun émetteur n'est autorisé à créer un certificat \"wildcard\" pour ce domaine et ce sous-domaine. Mais cela peut être remplacé par les paramètres suivants :",