CAA: Handle issuemail (RFC 9495)
parent
205d890f32
commit
82067201f4
|
@ -81,6 +81,8 @@ type CAA struct {
|
|||
Issue []CAAIssueValue
|
||||
DisallowWildcardIssue bool
|
||||
IssueWild []CAAIssueValue
|
||||
DisallowMailIssue bool
|
||||
IssueMail []CAAIssueValue
|
||||
Iodef []*common.URL
|
||||
}
|
||||
|
||||
|
@ -98,19 +100,25 @@ func (s *CAA) GetNbResources() int {
|
|||
}
|
||||
}
|
||||
|
||||
if s.DisallowMailIssue {
|
||||
nb += 1
|
||||
} else {
|
||||
nb += len(s.IssueMail)
|
||||
}
|
||||
|
||||
return nb + len(s.Iodef)
|
||||
}
|
||||
|
||||
func (s *CAA) GenComment(origin string) string {
|
||||
func (s *CAA) GenComment(origin string) (ret string) {
|
||||
if s.DisallowIssue {
|
||||
return "Certificate issuance disallowed"
|
||||
ret = "Certificate issuance disallowed"
|
||||
} else {
|
||||
var issuance []string
|
||||
for _, iss := range s.Issue {
|
||||
issuance = append(issuance, iss.IssuerDomainName)
|
||||
}
|
||||
|
||||
ret := strings.Join(issuance, ", ")
|
||||
ret = strings.Join(issuance, ", ")
|
||||
|
||||
if s.DisallowWildcardIssue {
|
||||
if ret != "" {
|
||||
|
@ -129,9 +137,27 @@ func (s *CAA) GenComment(origin string) string {
|
|||
|
||||
ret += strings.Join(issuancew, ", ")
|
||||
}
|
||||
|
||||
return ret
|
||||
}
|
||||
|
||||
if s.DisallowMailIssue {
|
||||
if ret != "" {
|
||||
ret += "; "
|
||||
}
|
||||
ret += "S/MIME issuance disallowed"
|
||||
} else if len(s.IssueMail) > 0 {
|
||||
if ret != "" {
|
||||
ret += "; S/MIME: "
|
||||
}
|
||||
|
||||
var issuancem []string
|
||||
for _, iss := range s.IssueMail {
|
||||
issuancem = append(issuancem, iss.IssuerDomainName)
|
||||
}
|
||||
|
||||
ret += strings.Join(issuancem, ", ")
|
||||
}
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
func (s *CAA) GenRRs(domain string, ttl uint32, origin string) (rrs models.Records) {
|
||||
|
@ -171,6 +197,24 @@ func (s *CAA) GenRRs(domain string, ttl uint32, origin string) (rrs models.Recor
|
|||
}
|
||||
}
|
||||
|
||||
if s.DisallowMailIssue {
|
||||
rc := utils.NewRecordConfig(domain, "CAA", ttl, origin)
|
||||
rc.CaaFlag = 0
|
||||
rc.CaaTag = "issuemail"
|
||||
rc.SetTarget(";")
|
||||
|
||||
rrs = append(rrs, rc)
|
||||
} else {
|
||||
for _, issue := range s.IssueMail {
|
||||
rc := utils.NewRecordConfig(domain, "CAA", ttl, origin)
|
||||
rc.CaaFlag = 0
|
||||
rc.CaaTag = "issuemail"
|
||||
rc.SetTarget(issue.String())
|
||||
|
||||
rrs = append(rrs, rc)
|
||||
}
|
||||
}
|
||||
|
||||
if len(s.Iodef) > 0 {
|
||||
for _, iodef := range s.Iodef {
|
||||
rc := utils.NewRecordConfig(domain, "CAA", ttl, origin)
|
||||
|
|
|
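Review bot: In GenComment the "S/MIME: " label is only written when ret is already non-empty, so a record with no issue entries and only IssueMail values produces a comment that lists the S/MIME issuer domains with nothing marking them as S/MIME, indistinguishable from ordinary issuers. Emit the label unconditionally and keep only the separator conditional: `if ret != "" { ret += "; " }` followed by `ret += "S/MIME: "`. The wildcard branch just above appears to follow the same pattern, but its body is cut by the hunk boundary so I cannot confirm it. GenComment also switches to a named result with a bare `return` at the end; for a function of this length a plain `return ret` would read more clearly.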
@ -92,7 +92,7 @@
|
|||
</Alert>
|
||||
{/if}
|
||||
|
||||
<h4>{$t("resources.CAA.wild-issuers")}</h4>
|
||||
<h4 class="mt-4">{$t("resources.CAA.wild-issuers")}</h4>
|
||||
|
||||
<FormGroup>
|
||||
<Input id="wildcardissuedisabled" type="checkbox" label={$t("resources.CAA.no-wild-hint")} bind:checked={value.DisallowWildcardIssue} />
|
||||
|
@ -142,7 +142,51 @@
|
|||
</Alert>
|
||||
{/if}
|
||||
|
||||
<h4>{$t("resources.CAA.incident-response")}</h4>
|
||||
<h4 class="mt-4">{$t("resources.CAA.mail-issuers")}</h4>
|
||||
|
||||
<FormGroup>
|
||||
<Input id="mailissuedisabled" type="checkbox" label={$t("resources.CAA.no-mail-hint")} bind:checked={value.DisallowMailIssue} />
|
||||
</FormGroup>
|
||||
|
||||
{#if !value.DisallowMailIssue && !value.IssueMail}
|
||||
<Alert color="warning" fade={false}>
|
||||
<strong>{$t("resources.CAA.mail-all-allowed-title")}</strong> {$t("resources.CAA.mail-all-allowed-body")}
|
||||
</Alert>
|
||||
{/if}
|
||||
|
||||
<h5>
|
||||
{$t("resources.CAA.auth-issuers")}
|
||||
</h5>
|
||||
|
||||
{#if !value.DisallowMailIssue}
|
||||
<ul>
|
||||
{#if value.IssueMail}
|
||||
{#each value.IssueMail as issue, k}
|
||||
<li class="mb-3">
|
||||
<CAAIssuer
|
||||
{readonly}
|
||||
bind:value={value.IssueMail[k]}
|
||||
on:delete-issuer={() => {value.IssueMail.splice(k, 1); value = value;}}
|
||||
/>
|
||||
</li>
|
||||
{/each}
|
||||
{/if}
|
||||
{#if !readonly}
|
||||
<li style:list-style="'+ '">
|
||||
<CAAIssuer
|
||||
newone
|
||||
on:add-issuer={(e) => {if (!value.IssueMail) value.IssueMail = []; value.IssueMail.push(e.detail); value = value;}}
|
||||
/>
|
||||
</li>
|
||||
{/if}
|
||||
</ul>
|
||||
{:else}
|
||||
<Alert color="danger" fade={false}>
|
||||
<strong>{$t("resources.CAA.no-mail-title")}</strong> {$t("resources.CAA.no-mail-body")}
|
||||
</Alert>
|
||||
{/if}
|
||||
|
||||
<h4 class="mt-4">{$t("resources.CAA.incident-response")}</h4>
|
||||
|
||||
<p>
|
||||
{$t("resources.CAA.incident-response-text")}
|
||||
|
|
|
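Review bot: The guard `{#if !value.DisallowMailIssue && !value.IssueMail}` treats an empty array as a constraint: once the user adds an issuer and then removes it with the splice handler below, IssueMail is `[]`, which is truthy, so the "all CA allowed" alert disappears even though GenRRs (same commit) emits no issuemail record for an empty list. Test the length instead: `{#if !value.DisallowMailIssue && !(value.IssueMail && value.IssueMail.length)}`. The existing issue and issuewild blocks outside this hunk likely use the same idiom and would deserve the same check.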
@ -264,9 +264,15 @@
|
|||
"auth-issuers": "Authorized Issuers",
|
||||
"incident-response": "Incident Response",
|
||||
"incident-response-text": "How would you want to be contacted in case of violation of the current security policy?",
|
||||
"mail-issuers": "S/MIME certificates issuance",
|
||||
"mail-all-allowed-title": "No CA constraint for S/MIME certificates issuance.",
|
||||
"mail-all-allowed-body": "All CA can emit S/MIME certificates for your domain. You should disallow or restrict to certain CA. S/MIME certificates are used for example to sign and encrypt e-mail communications. If you do not use such certificate, you should disallow their issuance.",
|
||||
"no-issuers-hint": "Disallow any certificate issuance",
|
||||
"no-issuers-title": "No issuer authorized.",
|
||||
"no-issuers-body": "With those parameters, no issuer is allowed to create certificate for this subdomain.",
|
||||
"no-mail-hint": "Disallow S/MIME certificate issuance",
|
||||
"no-mail-title": "No issuer authorized for S/MIME certificate.",
|
||||
"no-mail-body": "With those parameters, no issuer is authorized to create S/MIME certificate for this domain and subdomain.",
|
||||
"no-wild-hint": "Disallow wildcard certificate issuance",
|
||||
"no-wild-title": "No wildcard issuer authorized.",
|
||||
"no-wild-body": "With those parameters, no issuer is authorized to create wildcard certificate for this domain and subdomain. But this can be override with the following settings:",
|
||||
|
|
|
@ -258,9 +258,15 @@
|
|||
"auth-issuers": "Émetteurs autorisés",
|
||||
"incident-response": "Réponse aux incidents",
|
||||
"incident-response-text": "Comment souhaitez-vous être contacté en cas de violation de la politique de sécurité actuelle ?",
|
||||
"mail-issuers": "Délivrance de certificats S/MIME",
|
||||
"mail-all-allowed-title": "Toutes les autorités de certification peuvent émettre des certiticats S/MIME sans restriction.",
|
||||
"mail-all-allowed-body": "Toutes les autorités de certification peuvent émettre des certiticats S/MIME pour votre domaine. Vous devriez interdire ou restreindre à certaines autorités. Les certificats S/MIME sont utilisés par exemple pour signer et chiffrer les courriers électroniques. Si vous n'utilisez pas ce genre de certiticats, vous devriez interdire leur émission.",
|
||||
"no-issuers-hint": "Interdire toute délivrance de certificat",
|
||||
"no-issuers-title": "Aucun émetteur autorisé.",
|
||||
"no-issuers-body": "Avec ces paramètres, aucun émetteur n'est autorisé à créer un certificat pour ce sous-domaine.",
|
||||
"no-mail-hint": "Interdire l'émission de certiticat S/MIME",
|
||||
"no-mail-title": "Aucune émetteur de certiticat S/MIME n'est autorisé.",
|
||||
"no-mail-body": "Avec ces paramètres, aucun émetteur n'est autorisé à créer un certificat S/MIME pour ce sous-domaine.",
|
||||
"no-wild-hint": "Interdire l'émission de certificats \"wildcard\"",
|
||||
"no-wild-title": "Aucun émetteur de certificats \"wildcard\" n'est autorisé.",
|
||||
"no-wild-body": "Avec ces paramètres, aucun émetteur n'est autorisé à créer un certificat \"wildcard\" pour ce domaine et ce sous-domaine. Mais cela peut être remplacé par les paramètres suivants :",
|
||||
|
|