Return consistent ACME error types for specific cases

2026-01-27 10:18:34 +00:00 · 2023-07-31 12:11:50 +02:00
parent df22b8a303
commit 0d3338ff3a
3 changed files with 10 additions and 10 deletions
--- a/acme/challenge.go
+++ b/acme/challenge.go
@@ -414,7 +414,7 @@ func deviceAttest01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose
 		// Note: We might want to use an external service for this.
 		if data.UDID != ch.Value && data.SerialNumber != ch.Value {
 			subproblem := NewSubproblemWithIdentifier(
-				ErrorMalformedType,
+				ErrorRejectedIdentifierType,
 				Identifier{Type: "permanent-identifier", Value: ch.Value},
 				"challenge identifier %q doesn't match any of the attested hardware identifiers %s", ch.Value, []string{data.UDID, data.SerialNumber},
 			)
@@ -442,7 +442,7 @@ func deviceAttest01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose
 		// Note: We might want to use an external service for this.
 		if data.SerialNumber != ch.Value {
 			subproblem := NewSubproblemWithIdentifier(
-				ErrorMalformedType,
+				ErrorRejectedIdentifierType,
 				Identifier{Type: "permanent-identifier", Value: ch.Value},
 				"challenge identifier %q doesn't match the attested hardware identifier %q", ch.Value, data.SerialNumber,
 			)
@@ -472,11 +472,11 @@ func deviceAttest01Validate(ctx context.Context, ch *Challenge, db DB, jwk *jose
 		// still fail if the challenge value isn't equal to the CSR subject.
 		if len(data.PermanentIdentifiers) > 0 && !slices.Contains(data.PermanentIdentifiers, ch.Value) { // TODO(hs): add support for HardwareModuleName
 			subproblem := NewSubproblemWithIdentifier(
-				ErrorMalformedType,
+				ErrorRejectedIdentifierType,
 				Identifier{Type: "permanent-identifier", Value: ch.Value},
-				"challenge identifier %q doesn't match any of the attested hardware identifiers %q", ch.Value, data.PermanentIdentifiers,
+				"challenge identifier %q doesn't match any of the attested hardware identifiers %s", ch.Value, data.PermanentIdentifiers,
 			)
-			return storeError(ctx, db, ch, true, NewError(ErrorRejectedIdentifierType, "permanent identifier does not match").WithAdditionalErrorDetail().AddSubproblems(subproblem))
+			return storeError(ctx, db, ch, true, NewError(ErrorBadAttestationStatementType, "permanent identifier does not match").WithAdditionalErrorDetail().AddSubproblems(subproblem))
 		}

 		// Update attestation key fingerprint to compare against the CSR
--- a/acme/challenge_test.go
+++ b/acme/challenge_test.go
@@ -3626,7 +3626,7 @@ func Test_deviceAttest01Validate(t *testing.T) {
 							assert.Equal(t, "non-matching-value", updch.Value)

 							subproblem := NewSubproblemWithIdentifier(
-								ErrorMalformedType,
+								ErrorRejectedIdentifierType,
 								Identifier{Type: "permanent-identifier", Value: "non-matching-value"},
 								`challenge identifier "non-matching-value" doesn't match any of the attested hardware identifiers [udid serial-number]`,
 							)
@@ -3760,7 +3760,7 @@ func Test_deviceAttest01Validate(t *testing.T) {
 							err := NewError(ErrorBadAttestationStatementType, "permanent identifier does not match").
 								WithAdditionalErrorDetail().
 								AddSubproblems(NewSubproblemWithIdentifier(
-									ErrorMalformedType,
+									ErrorRejectedIdentifierType,
 									Identifier{Type: "permanent-identifier", Value: "12345678"},
 									"challenge identifier \"12345678\" doesn't match the attested hardware identifier \"87654321\"",
 								))
--- a/acme/challenge_tpmsimulator_test.go
+++ b/acme/challenge_tpmsimulator_test.go
@@ -282,12 +282,12 @@ func Test_deviceAttest01ValidateWithTPMSimulator(t *testing.T) {
 							assert.Equal(t, ChallengeType("device-attest-01"), updch.Type)
 							assert.Equal(t, "device.id.99999999", updch.Value)

-							err := NewError(ErrorRejectedIdentifierType, `permanent identifier does not match`).
+							err := NewError(ErrorBadAttestationStatementType, `permanent identifier does not match`).
 								WithAdditionalErrorDetail().
 								AddSubproblems(NewSubproblemWithIdentifier(
-									ErrorMalformedType,
+									ErrorRejectedIdentifierType,
 									Identifier{Type: "permanent-identifier", Value: "device.id.99999999"},
-									`challenge identifier "device.id.99999999" doesn't match any of the attested hardware identifiers ["device.id.12345678"]`,
+									`challenge identifier "device.id.99999999" doesn't match any of the attested hardware identifiers [device.id.12345678]`,
 								))

 							assert.EqualError(t, updch.Error.Err, err.Err.Error())