From 3d39b6402d8ec5e25a17d272d8a695ca26d0a5ca Mon Sep 17 00:00:00 2001
From: Alex Zorin
Date: Mon, 16 May 2022 12:23:17 +1000
Subject: [PATCH] Add subproblems

- Add subproblem support (rfc8555#section-6.7.1)
- Use subproblems when rejecting identifiers in newOrder
- Block "blocked-domain.example" in the default configuration
---
 acme/problems.go | 17 +++++++++++++----
 test/config/pebble-config.json | 3 ++-
 wfe/wfe.go | 7 ++++---
 3 files changed, 19 insertions(+), 8 deletions(-)

diff --git a/acme/problems.go b/acme/problems.go
index 4404b8fa..2733bc11 100644
--- a/acme/problems.go
+++ b/acme/problems.go
@@ -26,9 +26,11 @@ const (
 )
 
 type ProblemDetails struct {
- Type string `json:"type,omitempty"`
- Detail string `json:"detail,omitempty"`
- HTTPStatus int `json:"status,omitempty"`
+ Type string `json:"type,omitempty"`
+ Detail string `json:"detail,omitempty"`
+ HTTPStatus int `json:"status,omitempty"`
+ Identifier *Identifier `json:"identifier,omitempty"`
+ Subproblems []ProblemDetails `json:"subproblems,omitempty"`
 }
 
 func (pd *ProblemDetails) Error() string {
@@ -187,10 +189,17 @@ func BadPublicKeyProblem(detail string) *ProblemDetails {
 }
 }
 
-func RejectedIdentifierProblem(detail string) *ProblemDetails {
+func RejectedIdentifierProblem(ident Identifier, detail string) *ProblemDetails {
 return &ProblemDetails{
 Type: rejectedIdentifierErr,
 Detail: detail,
 HTTPStatus: http.StatusBadRequest,
+ Subproblems: []ProblemDetails{
+ {
+ Type: rejectedIdentifierErr,
+ Identifier: &ident,
+ Detail: fmt.Sprintf("%s is a forbidden domain", ident.Value),
+ },
+ },
 }
 }
diff --git a/test/config/pebble-config.json b/test/config/pebble-config.json
index b4ffc5e7..10fc5788 100644
--- a/test/config/pebble-config.json
+++ b/test/config/pebble-config.json
@@ -7,6 +7,7 @@
 "httpPort": 5002,
 "tlsPort": 5001,
 "ocspResponderURL": "",
- "externalAccountBindingRequired": false
+ "externalAccountBindingRequired": false,
+ "domainBlocklist": ["blocked-domain.example"]
 }
 }
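Review bot: The subproblem detail in RejectedIdentifierProblem is hard-coded to `"%s is a forbidden domain"`, so any caller that rejects an identifier for a reason other than the domain blocklist (the constructor's name is generic) will emit a subproblem whose text contradicts the top-level detail. The only caller in this patch already passes a top-level detail naming the domain and the reason, so the subproblem could reuse it with `Detail: detail,` or, if a distinct per-identifier message is wanted, take it as a parameter. The two new exported fields also lack doc comments; something like `// Subproblems holds per-identifier problem documents (RFC 8555 section 6.7.1).` and `// Identifier names the identifier a subproblem applies to; it is only set inside Subproblems.` would pin down the intended shape, which I believe matches the RFC's rule that identifier appears only in subproblems (worth confirming against the spec text).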
diff --git a/wfe/wfe.go b/wfe/wfe.go
index 37e080fb..a4487f74 100644
--- a/wfe/wfe.go
+++ b/wfe/wfe.go
@@ -1417,14 +1417,15 @@ func (wfe *WebFrontEndImpl) verifyOrder(order *core.Order) *acme.ProblemDetails
 ident.Type, ident.Value))
 }
 
- if problem := wfe.validateDNSName(ident.Value); problem != nil {
+ if problem := wfe.validateDNSName(ident); problem != nil {
 return problem
 }
 }
 return nil
 }
 
-func (wfe *WebFrontEndImpl) validateDNSName(rawDomain string) *acme.ProblemDetails {
+func (wfe *WebFrontEndImpl) validateDNSName(ident acme.Identifier) *acme.ProblemDetails {
+ rawDomain := ident.Value
 if rawDomain == "" {
 return acme.MalformedProblem(fmt.Sprintf(
 "Order included DNS identifier with empty value"))
@@ -1475,7 +1476,7 @@ func (wfe *WebFrontEndImpl) validateDNSName(rawDomain string) *acme.ProblemDetai
 }
 
 if wfe.db.IsDomainBlocked(rawDomain) {
- return acme.RejectedIdentifierProblem(fmt.Sprintf(
+ return acme.RejectedIdentifierProblem(ident, fmt.Sprintf(
 "Order included an identifier for which issuance is forbidden by policy: %q", rawDomain))
 }
 
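Review bot: validateDNSName now receives a whole `acme.Identifier` but still treats `ident.Value` as a DNS name unconditionally; the context just above the call suggests verifyOrder rejects non-DNS types first, so the new signature silently depends on that precondition without stating it. A doc comment would make the contract explicit: `// validateDNSName validates ident.Value as a DNS name; callers must already have checked that ident.Type is DNS.` The body of validateDNSName between the empty-value check and the `IsDomainBlocked` call lies outside the hunks, so I cannot confirm whether `rawDomain` is ever normalized there — if it is, the `ident` now passed to RejectedIdentifierProblem would carry the client's original value while the blocklist saw the normalized one, which is fine for reporting back to the client but worth a one-line comment at the call site. The enclosing function continues beyond the last hunk.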