From 82067201f4eaa0f65a754d5984c0cb0cf2ca3344 Mon Sep 17 00:00:00 2001 From: Pierre-Olivier Mercier Date: Sat, 3 Feb 2024 09:10:10 +0100 Subject: [PATCH] CAA: Handle issuemail (RFC 9495) --- services/caa.go | 54 ++++++++++++++++++++-- ui/src/lib/components/resources/CAA.svelte | 48 ++++++++++++++++++- ui/src/lib/locales/en.json | 6 +++ ui/src/lib/locales/fr.json | 6 +++ 4 files changed, 107 insertions(+), 7 deletions(-) diff --git a/services/caa.go b/services/caa.go index 0dc69ec..b39e170 100644 --- a/services/caa.go +++ b/services/caa.go @@ -81,6 +81,8 @@ type CAA struct { Issue []CAAIssueValue DisallowWildcardIssue bool IssueWild []CAAIssueValue + DisallowMailIssue bool + IssueMail []CAAIssueValue Iodef []*common.URL } @@ -98,19 +100,25 @@ func (s *CAA) GetNbResources() int { } } + if s.DisallowMailIssue { + nb += 1 + } else { + nb += len(s.IssueMail) + } + return nb + len(s.Iodef) } -func (s *CAA) GenComment(origin string) string { +func (s *CAA) GenComment(origin string) (ret string) { if s.DisallowIssue { - return "Certificate issuance disallowed" + ret = "Certificate issuance disallowed" } else { var issuance []string for _, iss := range s.Issue { issuance = append(issuance, iss.IssuerDomainName) } - ret := strings.Join(issuance, ", ") + ret = strings.Join(issuance, ", ") if s.DisallowWildcardIssue { if ret != "" { @@ -129,9 +137,27 @@ func (s *CAA) GenComment(origin string) string { ret += strings.Join(issuancew, ", ") } - - return ret } + + if s.DisallowMailIssue { + if ret != "" { + ret += "; " + } + ret += "S/MIME issuance disallowed" + } else if len(s.IssueMail) > 0 { + if ret != "" { + ret += "; S/MIME: " + } + + var issuancem []string + for _, iss := range s.IssueMail { + issuancem = append(issuancem, iss.IssuerDomainName) + } + + ret += strings.Join(issuancem, ", ") + } + + return } func (s *CAA) GenRRs(domain string, ttl uint32, origin string) (rrs models.Records) { 
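Review bot: The two fields added to CAA, `DisallowMailIssue` and `IssueMail`, are alternatives rather than independent settings — GenRRs later in this patch emits a single `issuemail ";"` record when DisallowMailIssue is set and never reads IssueMail in that case — but nothing on the struct says so, and the UI can leave both populated. I would document the precedence on the fields: `// DisallowMailIssue emits "issuemail ;" (RFC 9495) and takes precedence over IssueMail.` and `// IssueMail lists the CAs allowed to issue S/MIME certificates; ignored when DisallowMailIssue is set.` The CAA struct definition starts before this hunk.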
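Review bot: In GenComment the `S/MIME: ` label is only written when `ret` is already non-empty, so a policy with no issue restriction but an IssueMail list yields a comment made of the mail issuers alone, indistinguishable from ordinary issuers. The label should not be tied to the separator: `if ret != "" { ret += "; " }` followed by `ret += "S/MIME: "` before the join. Separately, switching this function to a named result with a naked `return` at the end of a body this long makes the flow harder to read; `return ret` costs nothing. The hunk opens in the tail of GetNbResources and its last context line is the GenRRs signature, so both neighbours continue outside it.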
@@ -171,6 +197,24 @@ func (s *CAA) GenRRs(domain string, ttl uint32, origin string) (rrs models.Recor } } + if s.DisallowMailIssue { + rc := utils.NewRecordConfig(domain, "CAA", ttl, origin) + rc.CaaFlag = 0 + rc.CaaTag = "issuemail" + rc.SetTarget(";") + + rrs = append(rrs, rc) + } else { + for _, issue := range s.IssueMail { + rc := utils.NewRecordConfig(domain, "CAA", ttl, origin) + rc.CaaFlag = 0 + rc.CaaTag = "issuemail" + rc.SetTarget(issue.String()) + + rrs = append(rrs, rc) + } + } + if len(s.Iodef) > 0 { for _, iodef := range s.Iodef { rc := utils.NewRecordConfig(domain, "CAA", ttl, origin) diff --git a/ui/src/lib/components/resources/CAA.svelte b/ui/src/lib/components/resources/CAA.svelte index a731e31..f41caca 100644 --- a/ui/src/lib/components/resources/CAA.svelte +++ b/ui/src/lib/components/resources/CAA.svelte @@ -92,7 +92,7 @@ {/if} -
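Review bot: The new issuemail block in GenRRs silently drops IssueMail whenever DisallowMailIssue is set, and nothing in the code records that issuemail is evaluated independently of the issue/issuewild records emitted above it — the locale text added in this same patch states that without any issuemail record every CA may issue S/MIME certificates, which is the opposite default from a missing issue record being a restriction. A comment at the top of the block would make both points explicit: `// RFC 9495: issuemail is independent of issue/issuewild. With no issuemail record any CA may issue S/MIME certs, so ";" is the only way to forbid it; DisallowMailIssue takes precedence over IssueMail.` Both branches also build the same record apart from the target, presumably mirroring the issue/issuewild code that sits before this hunk; a small helper taking the tag and target would remove that repetition. GenRRs starts before this hunk and continues after it.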

{$t("resources.CAA.wild-issuers")}

+

{$t("resources.CAA.wild-issuers")}

@@ -142,7 +142,51 @@ {/if} -

{$t("resources.CAA.incident-response")}

+

{$t("resources.CAA.mail-issuers")}

+ + + + + +{#if !value.DisallowMailIssue && !value.IssueMail} + + {$t("resources.CAA.mail-all-allowed-title")} {$t("resources.CAA.mail-all-allowed-body")} + +{/if} + +
+ {$t("resources.CAA.auth-issuers")} +
+ +{#if !value.DisallowMailIssue} + +{:else} + + {$t("resources.CAA.no-mail-title")} {$t("resources.CAA.no-mail-body")} + +{/if} + +

{$t("resources.CAA.incident-response")}

{$t("resources.CAA.incident-response-text")} diff --git a/ui/src/lib/locales/en.json b/ui/src/lib/locales/en.json index b3bc96e..a252661 100644 --- a/ui/src/lib/locales/en.json +++ b/ui/src/lib/locales/en.json @@ -264,9 +264,15 @@ "auth-issuers": "Authorized Issuers", "incident-response": "Incident Response", "incident-response-text": "How would you want to be contacted in case of violation of the current security policy?", + "mail-issuers": "S/MIME certificates issuance", + "mail-all-allowed-title": "No CA constraint for S/MIME certificates issuance.", + "mail-all-allowed-body": "All CA can emit S/MIME certificates for your domain. You should disallow or restrict to certain CA. S/MIME certificates are used for example to sign and encrypt e-mail communications. If you do not use such certificate, you should disallow their issuance.", "no-issuers-hint": "Disallow any certificate issuance", "no-issuers-title": "No issuer authorized.", "no-issuers-body": "With those parameters, no issuer is allowed to create certificate for this subdomain.", + "no-mail-hint": "Disallow S/MIME certificate issuance", + "no-mail-title": "No issuer authorized for S/MIME certificate.", + "no-mail-body": "With those parameters, no issuer is authorized to create S/MIME certificate for this domain and subdomain.", "no-wild-hint": "Disallow wildcard certificate issuance", "no-wild-title": "No wildcard issuer authorized.", "no-wild-body": "With those parameters, no issuer is authorized to create wildcard certificate for this domain and subdomain. But this can be override with the following settings:", diff --git a/ui/src/lib/locales/fr.json b/ui/src/lib/locales/fr.json index 5fe8225..82c9023 100644 --- a/ui/src/lib/locales/fr.json +++ b/ui/src/lib/locales/fr.json 
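Review bot: The guard `{#if !value.DisallowMailIssue && !value.IssueMail}` that shows the "no CA constraint" warning only tests the list for null/undefined — an empty JavaScript array is truthy, so if IssueMail ever arrives as `[]` (after the user removes the last issuer, or if the Go side serializes an empty rather than nil slice) the warning disappears even though no issuemail record will be emitted. Test the length instead: `{#if !value.DisallowMailIssue && (!value.IssueMail || value.IssueMail.length === 0)}`. The markup of this hunk is rendered here without its tags, so I cannot see how the existing Issue/IssueWild guards are written; if they share the pattern they deserve the same fix. The enclosing component continues outside the hunk.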
@@ -258,9 +258,15 @@ "auth-issuers": "Émetteurs autorisés", "incident-response": "Réponse aux incidents", "incident-response-text": "Comment souhaitez-vous être contacté en cas de violation de la politique de sécurité actuelle ?", + "mail-issuers": "Délivrance de certificats S/MIME", + "mail-all-allowed-title": "Toutes les autorités de certification peuvent émettre des certiticats S/MIME sans restriction.", + "mail-all-allowed-body": "Toutes les autorités de certification peuvent émettre des certiticats S/MIME pour votre domaine. Vous devriez interdire ou restreindre à certaines autorités. Les certificats S/MIME sont utilisés par exemple pour signer et chiffrer les courriers électroniques. Si vous n'utilisez pas ce genre de certiticats, vous devriez interdire leur émission.", "no-issuers-hint": "Interdire toute délivrance de certificat", "no-issuers-title": "Aucun émetteur autorisé.", "no-issuers-body": "Avec ces paramètres, aucun émetteur n'est autorisé à créer un certificat pour ce sous-domaine.", + "no-mail-hint": "Interdire l'émission de certiticat S/MIME", + "no-mail-title": "Aucune émetteur de certiticat S/MIME n'est autorisé.", + "no-mail-body": "Avec ces paramètres, aucun émetteur n'est autorisé à créer un certificat S/MIME pour ce sous-domaine.", "no-wild-hint": "Interdire l'émission de certificats \"wildcard\"", "no-wild-title": "Aucun émetteur de certificats \"wildcard\" n'est autorisé.", "no-wild-body": "Avec ces paramètres, aucun émetteur n'est autorisé à créer un certificat \"wildcard\" pour ce domaine et ce sous-domaine. Mais cela peut être remplacé par les paramètres suivants :",