Skip to content

va: normalize caa parameter tags to lowercase#8616

Open
1seal wants to merge 3 commits intoletsencrypt:mainfrom
1seal:fix/caa-param-tag-case
Open

va: normalize caa parameter tags to lowercase#8616
1seal wants to merge 3 commits intoletsencrypt:mainfrom
1seal:fix/caa-param-tag-case

Conversation

@1seal
Copy link

@1seal 1seal commented Feb 2, 2026

fixes #8614.

this normalizes caa parameter tag names to lowercase during parsing, so mixed-case forms like AccountURI= and ValidationMethods= are enforced the same way as the lowercase forms.

adds regression coverage in va/caa_test.go for mixed-case accounturi and validationmethods (including issuewild).

1seal added 2 commits February 2, 2026 17:59
@1seal
va: normalize caa parameter tags to lowercase
08ba13c 
rfc 8659 specifies that property tags (issue/issuewild) are processed
case-insensitively. this change extends the same treatment to parameter
tag names (accounturi, validationmethods), so that mixed-case tags like
AccountURI= are matched correctly rather than silently ignored.
@1seal
va: test mixed-case caa parameter tags
9ac90d1 
add regression tests covering accounturi and validationmethods parameters
with mixed-case tag names, for both issue and issuewild records.
@1seal 1seal requested a review from a team as a code owner February 2, 2026 18:04
@1seal 1seal requested a review from aarongable February 2, 2026 18:04
@1seal
Copy link
Author

1seal commented Feb 2, 2026

two questions:

  1. should this change be treated as security-relevant (ghsa and/or release note)? the prior behavior (mixed-case accounturi/validationmethods being silently treated as absent) could allow issuance that domain operators intended to restrict.

  2. do you prefer confirmation from cabf/acme folks on the case-insensitive parameter-tag interpretation before merge, or is the rfc 8659 analogy (property tags are case-insensitive) sufficient?

@aarongable
Copy link
Contributor

aarongable commented Feb 2, 2026

  1. should this change be treated as security-relevant (ghsa and/or release note)? the prior behavior (mixed-case accounturi/validationmethods being silently treated as absent) could allow issuance that domain operators intended to restrict.

No, this does not rise to the level of something warranting notice, this has not affected anyone, and site operators are not generally aware of the Boulder source repository and release process.

  1. do you prefer confirmation from cabf/acme folks on the case-insensitive parameter-tag interpretation before merge, or is the rfc 8659 analogy (property tags are case-insensitive) sufficient?

See my comment on the initial bug; we'd actually like to take this a different direction.

@1seal
Copy link
Author

1seal commented Feb 2, 2026

pushed an update implementing the "fail-closed" direction:

  • removed the lowercase-normalization behavior
  • if an applicable record (issuer-domain matches) contains mis-capitalized AccountURI/ValidationMethods tags, we now deny issuance and return a message telling the applicant which lowercase tag to use
  • added a DoCAA-level test to assert the error detail is helpful

commit: e125976

@aarongable aarongable mentioned this pull request Feb 4, 2026
Draft
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aarongable aarongable Awaiting requested review from aarongable aarongable is a code owner automatically assigned from letsencrypt/boulder-developers

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

caa issue/issuewild parameter tags: mixed-case accounturi/validationmethods treated as absent

2 participants

@1seal @aarongable

Comments